#VU15740 Privilege escalation in Oracle VM VirtualBox


Vulnerability identifier: #VU15740

Vulnerability risk: Low

CVSSv4.0: 7.1 [CVSS:4.0/AV:A/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/U:Clear]

CVE-ID: N/A

CWE-ID: CWE-121

Exploitation vector: Local network

Exploit availability: No

Vulnerable software:
Oracle VM VirtualBox
Server applications / Virtualization software

Vendor: Oracle

Description

The vulnerability allows an adjacent attacker (a privileged user inside a guest virtual machine) to gain elevated privileges on the host system.

The weakness exists in the emulation of the Intel PRO/1000 MT Desktop (82540EM) network adapter, a code base that is shared across all host operating systems supported by VirtualBox. It affects virtual machines whose adapter is attached in Network Address Translation (NAT) mode, which is the default configuration, and consists of multiple boundary errors. A privileged attacker in the guest can craft packet descriptors (the data structures through which the guest describes network packet data in system memory to the adapter) so that the adapter's length calculation underflows. Depending on how the descriptors are constructed, the emulated adapter then either reads more data from the guest OS than the destination buffer can hold, causing a heap-based buffer overflow that may overwrite function pointers, or causes a stack-based buffer overflow.

Successful exploitation allows an attacker with root/administrator privileges in the guest to escape the virtual machine and execute code on the host in ring 3 (user mode, within the VirtualBox process). From there the attacker can escalate to ring 0 on the host via /dev/vboxdrv, the device node of the VirtualBox kernel driver.


Mitigation
Until a patched VirtualBox build is available, change the network adapter type of your virtual machines from Intel PRO/1000 MT Desktop (82540EM) to PCnet (either of the two PCnet variants) or to Paravirtualized Network (virtio-net). If that is not possible, change the adapter's attachment mode from NAT to another mode. Changing the adapter type is the more secure option, because it removes the vulnerable E1000 emulation from the VM entirely, whereas changing the attachment mode only removes the NAT configuration the described attack depends on.
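The check below is an added example, not part of the original advisory or of VirtualBox itself. It parses the `VBoxManage showvminfo <vm> --machinereadable` key/value output (the `nicN` and `nictypeN` keys) to find adapters that combine the 82540EM type with NAT attachment, and prints the `VBoxManage modifyvm --nictypeN virtio` command that applies the preferred mitigation. The sample output embedded in the script is constructed for illustration; when `VBoxManage` is installed, the script audits the real VMs on the host instead. Hypothetical VM name `demo` is used only in the sample.

```shell
#!/bin/sh
# Added example (not from the advisory or from VirtualBox): audit VMs for
# the vulnerable combination of an Intel PRO/1000 MT Desktop (82540EM)
# adapter attached in NAT mode and print the command that replaces it.

# Read `VBoxManage showvminfo <vm> --machinereadable` output on stdin and
# print one line per affected adapter: "<nic-index> <type> <mode>".
# Returns 0 if at least one affected adapter was found, 1 otherwise.
find_vulnerable_nics() {
  awk -F'=' '
    # nic1="nat"        -> attachment mode of adapter 1
    # nictype1="82540EM" -> emulated chipset of adapter 1
    /^nic[0-9]+=/     { n = substr($1, 4); gsub(/"/, "", $2); mode[n] = $2 }
    /^nictype[0-9]+=/ { n = substr($1, 8); gsub(/"/, "", $2); type[n] = $2 }
    END {
      found = 0
      # Iterate in index order (a VM has at most 36 adapters) so output is stable.
      for (n = 1; n <= 36; n++)
        if ((n in mode) && mode[n] == "nat" && type[n] == "82540EM") {
          print n, type[n], mode[n]
          found = 1
        }
      exit found ? 0 : 1
    }'
}

# Print the VBoxManage command that switches adapter $2 of VM $1 to the
# paravirtualized adapter (the advisory prefers changing the adapter type).
mitigation_cmd() {
  printf 'VBoxManage modifyvm "%s" --nictype%s virtio\n' "$1" "$2"
}

# Report every affected adapter of VM $1 (showvminfo output on stdin).
audit_vm() {
  vm=$1
  find_vulnerable_nics | while read -r n type mode; do
    echo "$vm: NIC $n ($type, $mode) is affected by VU15740"
    mitigation_cmd "$vm" "$n"
  done
}

# Constructed sample of showvminfo output: NIC 1 is the vulnerable default,
# NIC 2 is E1000 but not NAT, NIC 3 is NAT but already virtio.
SAMPLE='nic1="nat"
nictype1="82540EM"
nic2="hostonly"
nictype2="82540EM"
nic3="nat"
nictype3="virtio"
nic4="none"'

if command -v VBoxManage >/dev/null 2>&1; then
  # Real audit: `VBoxManage list vms` prints lines of the form "name" {uuid}.
  VBoxManage list vms | sed 's/^"\(.*\)" {.*}$/\1/' | while read -r vm; do
    VBoxManage showvminfo "$vm" --machinereadable | audit_vm "$vm"
  done
else
  printf '%s\n' "$SAMPLE" | audit_vm demo
fi
```

Only NIC 1 of the sample is reported; the printed `modifyvm` command must be run while the VM is powered off. If the adapter type cannot be changed, the equivalent fallback is `VBoxManage modifyvm "<vm>" --nic1 bridged` (or another non-NAT mode).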

Vulnerable software versions

Oracle VM VirtualBox: 5.0.7 - 5.0.27, 5.1.2 - 5.1.36, 5.2.0 - 5.2.20


External links
https://github.com/MorteNoir1/virtualbox_e1000_0day


Q & A

Can this vulnerability be exploited remotely?

Yes, in the sense of the CVSS vector (AV:A, PR:H): the attacker must already hold root/administrator privileges inside a guest virtual machine that uses the vulnerable adapter configuration, and the attack crosses from that adjacent position into the host. No prior access to the host itself is required.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, a public write-up describing the vulnerability and its exploitation is available (see External links).

